VMWARE / VDI malware Protection Symantec, Trend and Mcafee

by butsch 24. February 2015 06:21

Symantec Endpoint Protection still has no agentless virus scan version like Trend or McAfee with MOVE. Those use the vShield API from VMware and need no software running directly inside the VM. (http://www.vmware.com/pdf/vshield_55_admin.pdf)

BUT tests have shown that even with the agent inside the VM/VDI, Symantec SEP 12.x is faster in daily operation (tracking, status reporting, scanning) and is only slow while the machine does its virus pattern update once a day.

Keep in mind that most antivirus vendors only update the main definitions once a day (McAfee at 17:00 CET); the rest is GTI/0-day releases, on all three products.

So even with the agent inside the VDI machines you get, as a rule of thumb, the same or even better performance.

Also keep in mind that antivirus APIs like the one from Microsoft have been the source of a lot of trouble, false events and finger-pointing over the last few years. You can decide where you want that to happen:

  1. between your antivirus vendor and MS

    OR

  2. between your antivirus vendor and VMware

Worth mentioning on that point would be a solution at the hypervisor level, which mixes things up again.

The problem in general may no longer be so pressing, since NetApp and all the new companies coming out with flash/SSD storage try to solve it from the other side.

Gartner Magic Quadrant

http://blogs.antivirussales.ca/en/blog/gartner-magic-quadrant-for-endpoint-protection-platforms/

Products mentioned in those articles with regard to VMs:

MCAFEE:

McAfee's Management for Optimized Virtual Environments (MOVE) has offered optimized anti-malware scanning in virtualized environments for two years, and now MOVE 2.5 offers agentless anti-malware scanning in VMware environments using native vShield API integration.

Symantec:

Symantec does not yet offer an "agentless" version for optimizing anti-malware scanning in virtualized environments (although its shared Insight cache feature can be used to improve performance).

2012 Symantec SEP 12.1 and Mcafee MOVE under VMware 5.X

http://www.acmehk.net/report_download/Tolly212130SymantecSEP12dot1VMwareAVPerformance.pdf

2012 Symantec SEP 12.1 and Trend

http://www.symantec.com/connect/sites/default/files/Tolly212117SymantecSEP12_TRendDS8_VMwareAVPerformance.pdf

Back in 2011 Trend was faster

2011 Symantec SEP 11, Trend and Mcafee

http://www.trendmicro.com/cloud-content/us/pdfs/business/reports/rpt_test_deep-security-7.5-vs-mcafee-and-symantec_tolly.pdf

 

Tags:

APP-V | Mcafee VSE, EPO, DLP | VMWare

APP-V: Debug App-V Environment from package

by butsch 8. December 2013 02:08

 

On an App-V client, create a shortcut on the desktop to the existing App-V application you would like to debug.

Open the Properties of the shortcut and change the TARGET as marked: insert

/EXE cmd.exe

between

sfttray.exe"

and

/launch

Existing Target:

"C:\Program Files\Microsoft Application Virtualization Client\sfttray.exe" /launch "LeechFTP 1.3.1.202"

New Target for the Command line box (changes in red):

"C:\Program Files\Microsoft Application Virtualization Client\sfttray.exe" /exe cmd.exe /launch "LeechFTP 1.3.1.202"

If you open that link now you are inside the bubble and are able to check code, paths or registry keys.
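The same shortcut change done by script, as an added example that is not part of the original post: it clones an existing App-V 4.x shortcut into a debug shortcut with /exe cmd.exe inserted in front of /launch. The source .lnk path is a hypothetical default; the sfttray.exe target and the /launch syntax are the ones shown above.

```powershell
# Added example (not from the original post): build a "debug" copy of an App-V 4.x
# shortcut that opens cmd.exe inside the application's bubble.
# Assumption: $SourceLnk is a hypothetical path; adapt it to the shortcut you want to debug.
param(
    [string]$SourceLnk = "$env:USERPROFILE\Desktop\LeechFTP 1.3.1.202.lnk",
    [string]$DebugLnk  = "$env:USERPROFILE\Desktop\DEBUG LeechFTP.lnk"
)

$shell = New-Object -ComObject WScript.Shell
$src   = $shell.CreateShortcut($SourceLnk)

# Only touch shortcuts that really point at the App-V client tray and start with /launch
if ($src.TargetPath -notlike '*\sfttray.exe') {
    throw "Not an App-V shortcut: $($src.TargetPath)"
}
if ($src.Arguments -notmatch '^\s*/launch\s') {
    throw "Unexpected arguments, expected them to start with /launch: $($src.Arguments)"
}

$dst = $shell.CreateShortcut($DebugLnk)
$dst.TargetPath       = $src.TargetPath
# Insert "/exe cmd.exe" in front of the original /launch "<application>" arguments
$dst.Arguments        = '/exe cmd.exe ' + $src.Arguments.Trim()
$dst.WorkingDirectory = $src.WorkingDirectory
$dst.IconLocation     = $src.IconLocation
$dst.Description      = "Opens cmd.exe inside the App-V bubble of: $($src.Description)"
$dst.Save()

Write-Host "Created $DebugLnk"
Write-Host "Target: `"$($dst.TargetPath)`" $($dst.Arguments)"
```

Double-clicking the new shortcut gives a command prompt that sees the virtual file system and registry of that package, so paths and keys can be checked from inside the bubble.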


Here is how to CHECK what may be wrong inside the BUBBLE.

Download and copy PROCMON.EXE and PROCEXP.EXE from Technet/Microsoft/Sysinternals.

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

If you WANT to DEBUG as a domain user without special rights (why is it slow as USER and not as Administrator?), you may have to RUN procmon.exe with RUNAS. Be sure to use /noprofile, otherwise the monitor will see different data.

Exclude the PROCESSES you don't need to see, like VMware, virus protection, winlogon, Windows services etc.

You want to check the virtual EXE itself:

Example: GIMP-2.6.exe

Also check the App-V processes themselves:

SFTLIST.EXE

SFTTRAY.EXE

Look whether they TRY to write, open or change files on the Q: drive to which they may not have access as the logged-on user.

If you FOUND the file for which the PROCESS has no change permission, OPEN the App-V package.

Example FILE that made problems: users30.mpm

Change the Sequencer file type from "Application Data" to "User Data" and REDO the package.

Tags:

APP-V | Client Management | Deployment

Microsoft APPV package Recipe for Irfanview 4.x

by butsch 16. May 2013 00:43

16.05.2013, Version 4.3x, sequence IrfanView for Windows 7 64-bit

  1. Download all Binaries from the Website www.irfanview.com
  2. Download the Plugins you want
  3. Download the Language files you want

Start sequencing on your clean machine.

  1. Install Irfanview to the Path q:\irfan.001
  2. Copy over the Plugins and the language Files to the correct paths

Place the language files in:

Place the plugins in:

Path used:

Q:\irfan.001

Path for Plugins:

Q:\irfan.001\Irfanview\plugins (copy the plugin .DLL files into this path)

Without registering the DLLs the package will run as "Local Admin" or "Domain Admin" but NOT as a regular user. For example, if you open a PostScript EPS file or press a button under Options / Plugins you may receive an error. To prevent this, run the following commands during sequencing and also press the plugin buttons mentioned in "Picture 2" below once, to make sure the software loads all components. Please adapt your package path (irfan.001).


regsvr32.exe /s Q:\irfan.001\Plugins\8BF_Filters.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Ansi2Unicode.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Awd.dll
regsvr32.exe /s Q:\irfan.001\Plugins\B3d.dll
regsvr32.exe /s Q:\irfan.001\Plugins\BabaCAD4Image.dll
regsvr32.exe /s Q:\irfan.001\Plugins\CADImage.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Crw.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Dicom.dll
regsvr32.exe /s Q:\irfan.001\Plugins\DjVu.dll
regsvr32.exe /s Q:\irfan.001\Plugins\EAFSH.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Ecw.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Effects.dll
regsvr32.exe /s Q:\irfan.001\Plugins\EMail.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Exif.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Exr.dll
regsvr32.exe /s Q:\irfan.001\Plugins\FFactory.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Flash.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Flash4.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Formats.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Fpx.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Ftp.dll
regsvr32.exe /s Q:\irfan.001\Plugins\FUNLTDIV.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Hdp.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Ics.dll
regsvr32.exe /s Q:\irfan.001\Plugins\ImPDF.dll
regsvr32.exe /s Q:\irfan.001\Plugins\IPTC.dll
regsvr32.exe /s Q:\irfan.001\Plugins\JPEG2000.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Jpg_transform.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Jpm.dll
regsvr32.exe /s Q:\irfan.001\Plugins\KDC120.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Lcms.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Ldf.dll
regsvr32.exe /s Q:\irfan.001\Plugins\LogoManager.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Lwf.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Med.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Mng.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Mp3.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Mpg.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Mrc.dll
regsvr32.exe /s Q:\irfan.001\Plugins\MrSID.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Nero.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Paint.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Photocd.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Pngout.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Postscript.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Quicktime.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Ra_player.dll
regsvr32.exe /s Q:\irfan.001\Plugins\RegionCapture.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Sff.dll
regsvr32.exe /s Q:\irfan.001\Plugins\SoundPlayer.dll
regsvr32.exe /s Q:\irfan.001\Plugins\Video.dll


Starting with version 4.3x the installer also brings "adware" along: offers for Google Toolbar and Chrome. The author suppresses the popups until a given date. Here is how to get rid of it:

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\No Chrome Offer Until]

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\No Toolbar Offer Until]

 

Change that value to some date in the future, for example from "20130914" to "20200101" (year 2020).

 

Picture 2

Also during sequencing press these buttons below once and see whether it works as it should:

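The two sequencing steps above (registering every plugin DLL and setting the Google offer dates) as one script, added here as an example and not part of the original recipe. It follows the post's plugin path Q:\irfan.001\Plugins and its target date 20200101; treating the two "No ... Offer Until" entries as REG_DWORD values under HKLM\SOFTWARE\Google is an assumption, since the post lists them in .reg key notation.

```powershell
# Added example (not from the original recipe): register all IrfanView plugin DLLs
# silently during sequencing, report the ones regsvr32 rejects, then set the two
# Google offer dates. Assumption: the offer entries are REG_DWORD values under
# HKLM\SOFTWARE\Google (the post shows them in .reg key notation).
param(
    [string]$PluginDir    = 'Q:\irfan.001\Plugins',
    [int]   $NoOfferUntil = 20200101   # YYYYMMDD, the post's own target date
)

if (-not (Test-Path -LiteralPath $PluginDir)) {
    throw "Plugin folder not found: $PluginDir (adapt the package path, e.g. irfan.001)"
}

$failed = @()
$dlls   = @(Get-ChildItem -LiteralPath $PluginDir -Filter *.dll)
foreach ($dll in $dlls) {
    # regsvr32 /s is silent, so the exit code is the only feedback available.
    $p = Start-Process -FilePath 'regsvr32.exe' -ArgumentList '/s', "`"$($dll.FullName)`"" `
                       -Wait -PassThru -WindowStyle Hidden
    if ($p.ExitCode -ne 0) {
        # A plain DLL without a DllRegisterServer export also fails here; that is
        # harmless, but the list tells you which plugins to test as a regular user.
        $failed += "$($dll.Name) (exit code $($p.ExitCode))"
    }
}
Write-Host ("Registered {0} of {1} plugin DLLs" -f ($dlls.Count - $failed.Count), $dlls.Count)
$failed | ForEach-Object { Write-Warning "Not registered: $_" }

# Suppress the bundled Google Toolbar / Chrome offers until the given date.
# A 32-bit installer on 64-bit Windows reads the redirected Wow6432Node view, so set both.
foreach ($hive in 'HKLM:\SOFTWARE\Google', 'HKLM:\SOFTWARE\Wow6432Node\Google') {
    New-Item -Path $hive -Force | Out-Null
    foreach ($name in 'No Chrome Offer Until', 'No Toolbar Offer Until') {
        Set-ItemProperty -Path $hive -Name $name -Value $NoOfferUntil -Type DWord
    }
}
```

Run it from an elevated prompt on the sequencer while monitoring is active, so the registrations and registry values are captured into the package.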

Tags:

APP-V | Deployment

APPV How to call a script/batch FROM within the APPV bubble

by butsch 6. May 2013 05:17

Insert the following text, as an example, into the Filename.OSD to run a script from within the App-V package.

After:  </IMPLEMENTATION>

<DEPENDENCY>
  <CLIENTVERSION VERSION="4.6.0.0"/>
  <SCRIPT EVENT="LAUNCH" TIMING="PRE" TIMEOUT="0" PROTECT="TRUE" ABORTRESULT="-1" SUCCESSRESULT="1" EXTERN="TRUE">
    <!-- A SCRIPT holds one SCRIPTBODY; inside it a backslash is written \\ and a line break \n -->
    <SCRIPTBODY>@call \\\\apv01\\scripts$\\pabs\\check.cmd \nif exist "C:\\Program Files (x86)\\Pabsnet\\pabs.exe" (exit 0) else exit 1 \n</SCRIPTBODY>
  </SCRIPT>
</DEPENDENCY>


Tags:

APP-V

APPV: How to identify Microsoft Office 2010 Deployment Kit for App-V

by butsch 29. August 2012 02:02

How to identify the Microsoft Office 2010 Deployment Kit for App-V. This is useful if you have App-V packages for Visio or Project.

Before you can run those you need to pre-install the Microsoft Office 2010 Deployment Kit for App-V with your software deployment.

The App-V packages should not show up before the base software is installed.

Here are some flags to check from the MSI package: OffVirt.msi, Version: 14.0.4763.1000
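A detection check for the deployment tool, added as an example (not from the original post): it looks the kit up in the MSI Uninstall registry keys and compares the installed version with the 14.0.4763.1000 of OffVirt.msi quoted above. The DisplayName pattern used to find the kit is an assumption.

```powershell
# Added example (not from the original post): report whether the Office 2010 Deployment
# Kit for App-V is installed, so Visio/Project App-V packages can be gated on it.
# Assumption: the DisplayName wildcard below; the minimum version is the post's OffVirt.msi version.
function Test-OfficeDeploymentKit {
    param(
        [string]$NamePattern = '*Office 2010 Deployment Kit for App-V*',  # assumed display name
        [version]$MinVersion = '14.0.4763.1000'
    )
    # Read both registry views: a 32-bit MSI on 64-bit Windows lands under Wow6432Node.
    # Uninstall keys are used instead of Win32_Product, which triggers MSI consistency checks.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    $found = foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
            Where-Object { $_.DisplayName -like $NamePattern -and ($_.DisplayVersion -as [version]) }
    }
    if (-not $found) {
        return [pscustomobject]@{ Installed = $false; Version = $null; ProductCode = $null; Ok = $false }
    }
    # Take the highest installed version in case several are present
    $best = $found | Sort-Object { [version]$_.DisplayVersion } -Descending | Select-Object -First 1
    $ver  = [version]$best.DisplayVersion
    [pscustomobject]@{
        Installed   = $true
        Version     = $ver
        ProductCode = $best.PSChildName   # MSI product code of the installed kit, read from the registry
        Ok          = $ver -ge $MinVersion
    }
}

$r = Test-OfficeDeploymentKit
if ($r.Ok) {
    Write-Host "Deployment kit $($r.Version) present, OK to publish the Visio/Project App-V packages"
    exit 0
}
Write-Host "Deployment kit missing or too old (found: $($r.Version))"
exit 1
```

The exit code makes the script usable as a prerequisite or detection rule in a deployment tool, so the App-V packages only appear once the kit is in place.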

Tags:

APP-V | Deployment